tpm2_create: Fix creation of ctx file if TPM2_CreateLoaded is not available.

If the TPM2 command CreateLoaded is not available the creation of a ctx
file with tpm2_create was not possible. Now a TPM2_Create and TPM2_Load is
used to create a ctx file if CreateLoaded is not available.

Signed-off-by: Juergen Repp <juergen_repp@web.de>

Author: JuergenReppSIT

lib/tpm2.c

@@ -2060,15 +2060,32 @@ tool_rc tpm2_create(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_obj,
 tool_rc tpm2_create_loaded(ESYS_CONTEXT *esys_context,
         tpm2_loaded_object *parent_obj,
         const TPM2B_SENSITIVE_CREATE *in_sensitive,
-        const TPM2B_TEMPLATE *in_public, ESYS_TR *object_handle,
+        const TPM2B_PUBLIC *in_public, ESYS_TR *object_handle,
         TPM2B_PRIVATE **out_private, TPM2B_PUBLIC **out_public,
         TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash,
         TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2,
         ESYS_TR shandle3) {
-
+    TPM2B_TEMPLATE template = { .size = 0 };
+   
     TSS2_SYS_CONTEXT *sys_context = NULL;
+    bool create_loaded_exists;
     tool_rc rc = tool_rc_success;
-    if (cp_hash->size || rp_hash->size) {
+    size_t offset = 0;
+
+    tool_rc tmp_rc = tpm2_mu_tpmt_public_marshal(
+                       &in_public->publicArea, &template.buffer[0],
+                       sizeof(TPMT_PUBLIC), &offset);
+    if (tmp_rc != tool_rc_success) {
+        return tmp_rc;
+    }
+
+    template.size = offset;
+
+    rc = tpm2_check_cc(esys_context, TPM2_CC_CreateLoaded, &create_loaded_exists);
+    if (rc != tool_rc_success) {
+        return rc;
+    }
+    if ((cp_hash->size || rp_hash->size) && create_loaded_exists) {
         rc = tpm2_getsapicontext(esys_context, &sys_context);
 
         if(rc != tool_rc_success) {
@@ -2077,9 +2094,9 @@ tool_rc tpm2_create_loaded(ESYS_CONTEXT *esys_context,
         }
     }
 
-    if (cp_hash->size) {
+    if (cp_hash->size && create_loaded_exists) {
         TSS2_RC rval = Tss2_Sys_CreateLoaded_Prepare(sys_context,
-            parent_obj->handle, in_sensitive, in_public);
+            parent_obj->handle, in_sensitive, &template);
         if (rval != TPM2_RC_SUCCESS) {
             LOG_PERR(Tss2_Sys_CreateLoaded_Prepare, rval);
             return tool_rc_general_error;
@@ -2115,19 +2132,39 @@ tool_rc tpm2_create_loaded(ESYS_CONTEXT *esys_context,
         return rc;
     }
 
-    TSS2_RC rval = Esys_CreateLoaded(esys_context, parent_obj->tr_handle,
-            shandle1, shandle2, shandle3, in_sensitive, in_public,
+    if (create_loaded_exists) {
+        TSS2_RC rval = Esys_CreateLoaded(esys_context, parent_obj->tr_handle,
+             shandle1, shandle2, shandle3, in_sensitive, &template,
             object_handle, out_private, out_public);
-    if (rval != TSS2_RC_SUCCESS) {
-        LOG_PERR(Esys_CreateLoaded, rval);
-        return tool_rc_from_tpm(rval);
-    }
+        if (rval != TSS2_RC_SUCCESS) {
+            LOG_PERR(Esys_CreateLoaded, rval);
+            return tool_rc_from_tpm(rval);
+        }
 
-    if (rp_hash->size) {
-        rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash,
-            parameter_hash_algorithm);
+        if (rp_hash->size) {
+            rc = tpm2_sapi_getrphash(sys_context, rval, rp_hash,
+                                     parameter_hash_algorithm);
+        }
+    } else {
+        TPML_PCR_SELECTION creationPCR = {
+            .count = 0,
+        };
+        
+        TSS2_RC rval = Esys_Create(esys_context, parent_obj->tr_handle,
+             shandle1, shandle2, shandle3, in_sensitive, in_public,
+             NULL, &creationPCR, out_private, out_public, NULL, NULL, NULL);
+        if (rval != TSS2_RC_SUCCESS) {
+            LOG_PERR(Esys_CreateLoaded, rval);
+            return tool_rc_from_tpm(rval);
+        }
+        rval = Esys_Load(esys_context, parent_obj->tr_handle,
+            shandle1, shandle2, shandle3, *out_private,
+            *out_public, object_handle);
+        if (rval != TPM2_RC_SUCCESS) {
+            LOG_PERR(Esys_Load, rval);
+            return tool_rc_from_tpm(rval);
+        }
     }
-
 tpm2_createloaded_skip_esapi_call:
     return rc;
 }

lib/tpm2.h

@@ -64,8 +64,11 @@ tool_rc tpm2_sess_get_noncetpm(ESYS_CONTEXT *esys_context,
     ESYS_TR session_handle, TPM2B_NONCE **nonce_tpm);
 
 tool_rc tpm2_policy_restart(ESYS_CONTEXT *esys_context, ESYS_TR session_handle,
-        ESYS_TR shandle1, ESYS_TR shandle2, ESYS_TR shandle3,
-        TPM2B_DIGEST *cp_hash, TPMI_ALG_HASH parameter_hash_algorithm);
+                            ESYS_TR shandle1, ESYS_TR shandle2,
+                            ESYS_TR shandle3, TPM2B_DIGEST *cp_hash,
+                            TPMI_ALG_HASH parameter_hash_algorithm);
+
+tool_rc tpm2_check_cc(ESYS_CONTEXT *ectx, uint32_t cc, bool *exists);
 
 tool_rc tpm2_get_capability(ESYS_CONTEXT *esys_context, ESYS_TR shandle1,
         ESYS_TR shandle2, ESYS_TR shandle3, TPM2_CAP capability,
@@ -212,7 +215,7 @@ tool_rc tpm2_create(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parent_obj,
 tool_rc tpm2_create_loaded(ESYS_CONTEXT *esys_context,
         tpm2_loaded_object *parent_obj,
         const TPM2B_SENSITIVE_CREATE *in_sensitive,
-        const TPM2B_TEMPLATE *in_public, ESYS_TR *object_handle,
+        const TPM2B_PUBLIC *in_public, ESYS_TR *object_handle,
         TPM2B_PRIVATE **out_private, TPM2B_PUBLIC **out_public,
         TPM2B_DIGEST *cp_hash, TPM2B_DIGEST *rp_hash,
         TPMI_ALG_HASH parameter_hash_algorithm, ESYS_TR shandle2,

lib/tpm2_capability.c

@@ -5,27 +5,68 @@
 #include <string.h>
 
 #include "log.h"
+#include "tool_rc.h"
 #include "tpm2.h"
 #include "tpm2_capability.h"
 
-#define APPEND_CAPABILITY_INFORMATION(capability, field, subfield, max_count) \
-    if (fetched_data->data.capability.count > max_count - property_count) { \
-        fetched_data->data.capability.count = max_count - property_count; \
-    } \
-\
-    memmove(&(*capability_data)->data.capability.field[property_count], \
-            fetched_data->data.capability.field, \
-            fetched_data->data.capability.count * sizeof(fetched_data->data.capability.field[0])); \
-    property_count += fetched_data->data.capability.count; \
-\
-    (*capability_data)->data.capability.count = property_count; \
-\
-    if (more_data && property_count < count && fetched_data->data.capability.count) { \
-        property = (*capability_data)->data.capability.field[property_count - 1]subfield + 1; \
-    } else { \
-        more_data = false; \
+#define APPEND_CAPABILITY_INFORMATION(capability, field, subfield, max_count)  \
+  if (fetched_data->data.capability.count > max_count - property_count) {      \
+    fetched_data->data.capability.count = max_count - property_count;          \
+  }                                                                            \
+                                                                               \
+  memmove(&(*capability_data)->data.capability.field[property_count],          \
+          fetched_data->data.capability.field,                                 \
+          fetched_data->data.capability.count *                                \
+              sizeof(fetched_data->data.capability.field[0]));                 \
+  property_count += fetched_data->data.capability.count;                       \
+                                                                               \
+  (*capability_data)->data.capability.count = property_count;                  \
+                                                                               \
+  if (more_data && property_count < count &&                                   \
+      fetched_data->data.capability.count) {                                   \
+    property = (*capability_data)                                              \
+                   ->data.capability.field[property_count - 1] subfield +      \
+               1;                                                              \
+  } else {                                                                     \
+    more_data = false;                                                         \
+  }
+
+tool_rc tpm2_check_cc(ESYS_CONTEXT *ectx, uint32_t cc, bool *exists) {
+    TPMI_YES_NO more_data = TPM2_NO;
+    TPMS_CAPABILITY_DATA *cap = NULL;
+    uint32_t count = 1;
+    
+
+    TSS2_RC rc = Esys_GetCapability(
+        ectx,
+        ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+        TPM2_CAP_COMMANDS,
+        cc,
+        count,
+        &more_data,
+        &cap
+    );
+
+    if (rc != TSS2_RC_SUCCESS) {
+        LOG_ERR("Esys_GetCapability(TPM2_CAP_COMMANDS, property=0x%08" PRIX32 " failed: 0x%x",
+                cc, rc);
+        return tool_rc_general_error;
     }
 
+    const TPML_CCA *cmds = &cap->data.command;
+
+    if (cmds->count == 1 && (cmds->commandAttributes[0] & 0xffff) == cc) {
+        Esys_Free(cap);
+        *exists = true;
+        return tool_rc_success;
+    }
+
+    Esys_Free(cap);
+    *exists = false;
+    return tool_rc_success;
+}
+
+
 tool_rc tpm2_capability_get_ex(ESYS_CONTEXT *ectx, TPM2_CAP capability,
         UINT32 property, UINT32 count, bool ignore_more_data,
         TPMS_CAPABILITY_DATA **capability_data) {

tools/tpm2_create.c

@@ -134,19 +134,9 @@ static tool_rc create(ESYS_CONTEXT *ectx) {
 
     /* TPM2_CC_CreateLoaded */
     if (ctx.is_createloaded) {
-        size_t offset = 0;
-        TPM2B_TEMPLATE template = { .size = 0 };
-        tool_rc tmp_rc = tpm2_mu_tpmt_public_marshal(
-                &ctx.object.in_public.publicArea, &template.buffer[0],
-                sizeof(TPMT_PUBLIC), &offset);
-        if (tmp_rc != tool_rc_success) {
-            return tmp_rc;
-        }
-
-        template.size = offset;
-
+        tool_rc tmp_rc;
         tmp_rc = tpm2_create_loaded(ectx, &ctx.parent.object,
-            &ctx.object.sensitive, &template, &ctx.object.object_handle,
+            &ctx.object.sensitive, &ctx.object.in_public, &ctx.object.object_handle,
             &ctx.object.out_private, &ctx.object.out_public, &ctx.cp_hash,
             &ctx.rp_hash, ctx.parameter_hash_algorithm,
             ctx.aux_session_handle[0], ctx.aux_session_handle[1]);